Everyone uses Amazon! At least that’s what the cybercriminals are hoping. Cybercriminals are currently spamvertising millions of emails impersonating Amazon.com Inc. in an attempt to trick end and corporate users into clicking on the malicious links found in the emails.

cool-mail.net responds to 84.106.114.97. The following domains also respond to the same IP: lifelovework.net; homeofficecaptioning.ru. Name servers are courtesy of ns1.grapecomputers.net, with the following domains also using the same name server as cool-mail.net: grapecomputers.net; kidwingz.net; itscholarshipz.net; homeofficecaptioning.ru. kidwingz.net responds to 208.91.197.54.

Both domains serve client-side exploits from the BlackHole web malware exploitation kit, exploiting CVE-2010-1885 in particular.

Upon execution, the samples create the following registry entry in addition to spawning a new process:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] KB00121600.exe = "%AppData%\KB00121600.exe", so that KB00121600.exe runs every time Windows starts.

Next, the samples phone back to 85.214.204.32 on port 8080, hxxp://85.214.204.32:8080/zb/v_01_b/in/ in particular.

More samples are known to have phoned back to the same command and control (C&C) server in the past: MD5 aa9b1b6037afaceee96c888c948a20fe, detected by 14 out of 42 antivirus scanners as Trojan.Generic.KDV.647512.
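As an added example (not from the original post), the following Python shows how a defender might check for the two artefacts above: the callback to the C&C URL, looked for in proxy logs, and the Run-key persistence, generalised here to any Run value that launches an executable from %AppData%. The proxy log layout ("timestamp client dest:port method url") and the sample log lines are assumed and constructed for the example.

```python
import re
from urllib.parse import urlsplit

def refang(url):
    """Turn the post's defanged hxxp:// notation back into a real URL scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)

# C2 indicator taken from the post, parsed so host, port and path compare separately.
C2 = urlsplit(refang("hxxp://85.214.204.32:8080/zb/v_01_b/in/"))

# Constructed proxy log lines (not from the post) in an assumed
# "timestamp client dest:port method url" layout, to exercise the matcher.
SAMPLE_PROXY_LOG = """\
2012-03-01T10:00:01Z 10.0.0.15 93.184.216.34:80 GET http://example.com/index.html
2012-03-01T10:00:07Z 10.0.0.15 85.214.204.32:8080 POST http://85.214.204.32:8080/zb/v_01_b/in/
2012-03-01T10:00:09Z 10.0.0.22 85.214.204.32:443 GET https://85.214.204.32/
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+)$")

def find_c2_callbacks(log_text):
    """Return (timestamp, client) for every line reaching the C2 host, port and path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, dest, port, _method, url = m.groups()
        if dest == C2.hostname and int(port) == C2.port and urlsplit(url).path.startswith(C2.path):
            hits.append((ts, client))
    return hits

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

def is_appdata_run_entry(key, data):
    """Flag a ...\CurrentVersion\Run value whose command launches an executable from
    %AppData%, the persistence pattern the post describes (KB00121600.exe).
    Surrounding quotes and trailing arguments are tolerated; matching is case-insensitive."""
    if not key.lower().endswith(r"\currentversion\run"):
        return False
    command = data.strip().lstrip('"')
    if not command:
        return False
    exe = command.split('"')[0] if '"' in command else command.split()[0]
    return exe.lower().startswith("%appdata%\\") and exe.lower().endswith(".exe")

if __name__ == "__main__":
    print(find_c2_callbacks(SAMPLE_PROXY_LOG))
    print(is_appdata_run_entry(RUN_KEY, '"%AppData%\\KB00121600.exe"'))
```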

Meanwhile, users are advised to ensure that they are not running outdated versions of their third-party software and browser plugins, in order to mitigate the risks posed by web malware exploitation kits that target outdated and already patched vulnerabilities.